NFCShare Android malware uses fake banking app updates on GitHub to steal payment card data from European bank customers

Attackers are tricking bank customers into installing fake Android banking app updates from GitHub so they can steal card data and PINs. D3Lab says newer NFCShare variants, seen since May 14, target banks mainly in Italy and Spain after victims visit phishing sites impersonating real banks. The malware abuses near-field communication (NFC) on Android to read card details via IsoDep and EMV commands, then sends the data to command-and-control servers over WebSocket.
Why it matters: This can lead directly to payment-card fraud because victims are persuaded to hand over both card details and their PIN during a fake security check. Android users should only install banking apps from Google Play and treat any request to scan a bank card with their phone or sideload an update from GitHub as suspicious.
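A static triage sketch for the behaviour described above, as an added example that is not from the article or from D3Lab: it flags an APK whose code references IsoDep card reading together with a WebSocket channel. The marker strings are general Android and EMV names chosen as triage assumptions, not published NFCShare indicators, and the two sample archives and their hostnames are constructed.

```python
import io
import zipfile

# Heuristic markers (assumptions for triage, not published NFCShare indicators).
MARKERS = {
    "nfc_permission": [b"android.permission.NFC"],      # manifest permission
    "isodep_api": [b"Landroid/nfc/tech/IsoDep;"],       # dex type descriptor
    "emv_ppse": [b"2PAY.SYS.DDF01"],                    # EMV contactless directory name
    "websocket": [b"wss://", b"ws://", b"okhttp3/WebSocket"],
}

def _present(blob, needle):
    # Binary AndroidManifest.xml usually stores strings as UTF-16LE; dex uses MUTF-8.
    return needle in blob or needle.decode().encode("utf-16-le") in blob

def triage_apk(apk_bytes):
    """Return (sorted marker hits, suspicious flag) for an APK given as bytes."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name != "AndroidManifest.xml" and not name.endswith(".dex"):
                continue
            blob = apk.read(name)
            for label, needles in MARKERS.items():
                if any(_present(blob, n) for n in needles):
                    hits.add(label)
    # Flag IsoDep card reading combined with a WebSocket channel.
    reads_card = "isodep_api" in hits and ("emv_ppse" in hits or "nfc_permission" in hits)
    return sorted(hits), reads_card and "websocket" in hits

def build_sample(manifest, dex):
    """Constructed stand-in for an APK: a zip holding only the two files scanned."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", dex)
    return buf.getvalue()

# Constructed samples (not real malware and not real app contents).
FAKE_UPDATE = build_sample(
    "android.permission.NFC".encode("utf-16-le"),
    b"\x00Landroid/nfc/tech/IsoDep;\x002PAY.SYS.DDF01\x00wss://c2.example.invalid/ws\x00")
PLAIN_APP = build_sample(
    "android.permission.INTERNET".encode("utf-16-le"),
    b"\x00Lokhttp3/WebSocket;\x00wss://chat.example.invalid\x00")

if __name__ == "__main__":
    print(triage_apk(FAKE_UPDATE), triage_apk(PLAIN_APP))
```

A hit only prioritises a sample for review, since legitimate payment apps can match; a miss does not clear a sample, because strings may be packed or encrypted.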

Sources

NFCShare Android malware spreads via fake banking app updates on GitHub
Bill Toulas, 2026.06.08
This article establishes a concrete, current NFCShare campaign expansion, including new GitHub-hosted delivery infrastructure, broader bank targeting in Europe, and updated technical details on how the malware steals card data.